Got a last-minute request to set permissions on more than 200 OUs. On each OU, specific domain user groups are to be granted the rights to reset passwords and unlock user accounts.

If you use the GUI method to grant password reset rights, it will work! But how about the rights to unlock user accounts in the OU? And are you going to do that for all 200-plus OUs one by one?!

For unlock account rights, note that you need to configure “Allow” for both “Read LockoutTime” and “Write LockoutTime” (shown in the picture below).

So, just imagine using the GUI method to configure all 200-plus OUs. Haha. One issue is the effort, and the other is how to ensure that there are no mistakes after a while.

Well, this is when our good old “DS” commands come in handy!
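A sketch of how the two delegations can be applied to many OUs in one pass with `dsacls`, added here as an example and not the author's own commands. The OU paths, group names and the function names `Get-DelegationAces` and `Set-OuDelegation` are hypothetical, and the script assumes it runs from a domain-joined machine under an account allowed to modify the OU ACLs.

```powershell
# Constructed sample mapping: one row per OU and the group delegated on it.
# The OU paths and group names are placeholders, not values from the post.
$delegations = @'
OU,Group
"OU=Team A,OU=Staff,DC=example,DC=com","EXAMPLE\TeamA-Helpdesk"
"OU=Team B,OU=Staff,DC=example,DC=com","EXAMPLE\TeamB-Helpdesk"
'@ | ConvertFrom-Csv

function Get-DelegationAces {
    param([string]$Group)
    # Both ACEs are scoped to user objects only (the trailing ";user").
    @(
        "${Group}:CA;Reset Password;user"   # extended right: reset password
        "${Group}:RPWP;lockoutTime;user"    # read + write lockoutTime = unlock
    )
}

function Set-OuDelegation {
    param([string]$OU, [string]$Group, [switch]$DryRun)
    foreach ($ace in Get-DelegationAces -Group $Group) {
        if ($DryRun) {
            # Print the command instead of running it, for review.
            Write-Output "dsacls `"$OU`" /I:S /G `"$ace`""
            continue
        }
        # /I:S = inherit to sub-objects only, /G = grant
        & dsacls.exe $OU /I:S /G $ace | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "dsacls failed on '$OU' for ACE '$ace'"
        }
    }
}

# Dry run first so the whole OU-to-group mapping can be checked by eye.
foreach ($row in $delegations) {
    Set-OuDelegation -OU $row.OU -Group $row.Group -DryRun
}
```

Remove `-DryRun` to apply the ACEs; running `dsacls` against an OU with no switches afterwards lists its ACL, so the entries for the delegated group can be confirmed.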

First, we look at what the GUI method sets to grant a user group the rights to reset user passwords…

Setting One

Setting Two

For unlocking user accounts, the following needs to be set.

Therefore, the commands used to achieve the above settings are shown below:

Setting 1 – Part 1 of Granting User Group A to Reset Password for User in Team A OU